AVirCAP aka: CODE(red)Hunter V2.0 Public Release 09-25-2001
===========================================================
check for updates at http://www.romlist.com/codered
Purpose:
========
This system passively monitors the network: the bundled Apache server listens on
port 80, and the reports look through its access log for certain GET requests,
in this case CODE RED and NIMDA attacks. It is easy to modify the package to
monitor for virtually whatever you want; it is just a matter of the selection
criteria, and all you need is some basic knowledge of regular expressions.
The package itself is a complete web server including PHP and MySQL. It is a
VERY powerful package, capable of doing virtually whatever you want.
AVirCAP was previously known as Code(Red) Hunter. I decided to develop this
tool a bit further, and a name change was needed.
Legal:
======
The AVirCAP team takes no responsibility for ANY harm caused by the use of
AVirCAP. Use it at your own risk!
Licence:
========
All software included in this package is copyrighted by its respective owners.
You may include this package on PC magazine CD-ROMs or similar collections,
but it is forbidden to make money commercially from this package. It is
released to be free; let us keep it that way.
All I ask for is feedback about the package; please let me know if you use it.
Package contents:
=================
AVirCAP consists of the following components:
Apache 1.3.20
WinCron 1.0
PHP 4.0.6
MySQL 3.23.32
You cannot install the components one by one. It's all or nothing :-)
Installation:
=============
Run codehunt.exe to install. When the installation is finished, choose
"AVirCAP - Start AVirCAP" from the Programs menu. I recommend you move this
shortcut into the AUTOSTART (Startup) folder, or install Apache as a service.
A DOS window for Apache will appear. DO NOT close it.
Test the installation by browsing to 127.0.0.1 (localhost). A welcome screen
should appear. Click on the reports to try them.
*WARNING* With this package I've included a sample access.log file containing
CODE RED and NIMDA attack logs. If you want to get rid of it later, just stop
the Apache service, delete C:\redhunt\logs\access.log and restart the service.
Configuration:
==============
I strongly recommend that you take a look at C:\REDHUNT\HTDOCS\INFO.PHP. It
contains quite a lot of options for altering the configuration, all documented
in the comments.
The most important variables to change are the IP address of the FTP server
(if you want to use that feature) and the MAIL/NOMAIL option.
Reporting:
==========
To access the reports, connect with your web browser to the host's IP address,
or to http://127.0.0.1 if it is on the local machine.
The system issues reports in a few ways: on screen, sent by FTP to another
server, e-mailed to your e-mail address, and also stored in a local MySQL
database which you can access via ODBC or the mysql client. The FTP and EMAIL
options are great if you set up a big network of AVirCAP machines.
You can also display on-screen reports in different flavours, such as
"Detailed attack information per host". This report includes a subset of the
other reports.
By default AVirCAP (CRH) ships with WinCRON, a CRON utility similar to the
UN*X versions. The cron is set up to run the reports every 12th hour. The
interval can be changed by editing C:\REDHUNT\CRONTAB; please refer to
WinCRON.HTML for more information.
If you want to automate reporting using the 'AT' command from WINNT/2K or
another task scheduler, here's the command line to use (yes, you can run PHP
from DOS!):
The fields in a report record are:
ref = not displayed in on-screen and mail reports; it is NULL there
datetime = well, figure it out :)
hostip = the IP address of the offending host
type = types 1 and 2 stand for Code Red I and II; 3 and above are NIMDA types
of attacks.
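The following is an added example, not code from the AVirCAP package, of the
selection criteria the Purpose section talks about and the per-host report
described above: regular expressions applied to the request path of each Apache
access.log line, classifying Code Red I, Code Red II and Nimda probes and
rolling the hits up per attacking host. It is written in Python rather than the
package's PHP so it runs stand-alone. The log lines are constructed, the type
codes follow the scheme above (1 and 2 for Code Red I and II, 3 and above for
Nimda), and the split of Nimda into sub-codes 3 to 5 is an assumption of this
example, not the package's numbering.

```python
"""Added example: classify Code Red / Nimda probes in an Apache access.log
and summarize them per host. Not part of AVirCAP; Python instead of PHP."""
import re
from collections import Counter

# Apache "common" log format, as the bundled Apache 1.3 writes it:
#   host ident user [time] "METHOD path HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Type codes follow the README: 1 and 2 are Code Red I and II, 3 and above are
# Nimda. The sub-codes 3..5 are this example's own split. First match wins, so
# the more specific signatures come first.
SIGNATURES = [
    # Code Red I: .ida overflow, query padded with 'N', %u-encoded shellcode
    (1, re.compile(r'^/default\.ida\?N{10,}.*%u9090%u6858', re.I)),
    # Code Red II: same overflow, padded with 'X'
    (2, re.compile(r'^/default\.ida\?X{10,}.*%u9090%u6858', re.I)),
    # Nimda: root.exe backdoor left behind by Code Red II
    (3, re.compile(r'^/(?:scripts|msadc)/root\.exe\?/c\+dir', re.I)),
    # Nimda: cmd.exe via the /c and /d virtual roots
    (4, re.compile(r'^/[cd]/winnt/system32/cmd\.exe\?/c\+dir', re.I)),
    # Nimda: cmd.exe via encoded directory traversal (the Unicode/double-decode bugs)
    (5, re.compile(r'(?:%255c|%c1%1c|%c0%2f|%c0%af|%c1%9c|%25%35%63|%%35%63|%%35c|%252f)'
                   r'.*?/winnt/system32/cmd\.exe\?/c\+dir', re.I)),
]


def classify(path):
    """Return the attack type code for a request path, or 0 if it is benign."""
    for code, sig in SIGNATURES:
        if sig.search(path):
            return code
    return 0


def parse_line(line):
    """Split one access.log line into its fields; None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Per-host report: number of attacks and a Counter of attack types seen,
    the same shape as the 'detailed attack information per host' report."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        code = classify(rec["path"])
        if code == 0:
            continue
        entry = report.setdefault(rec["host"], {"count": 0, "types": Counter()})
        entry["count"] += 1
        entry["types"][code] += 1
    return report


# Constructed sample log: two Code Red probes, three Nimda probes, one normal hit.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2001:10:12:01 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 218
10.0.0.7 - - [19/Sep/2001:10:12:05 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 218
10.0.0.7 - - [19/Sep/2001:10:12:09 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 213
10.0.0.7 - - [19/Sep/2001:10:12:09 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 230
10.0.0.7 - - [19/Sep/2001:10:12:10 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 221
192.168.1.20 - - [19/Sep/2001:10:13:00 +0200] "GET /index.php HTTP/1.1" 200 1432
"""

if __name__ == "__main__":
    for host, entry in summarize(SAMPLE_LOG.splitlines()).items():
        print(host, entry["count"], dict(entry["types"]))
```

Because Apache has no /default.ida handler, every probe is logged with a 404 and
the worm gets nothing back; the sensor only records. Adding a new attack type is
a matter of appending another (code, regex) pair to SIGNATURES.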
Problems?:
==========
It's possible that APACHE will go crazy if you already have other applications
listening on port 80. Try to identify them and disable them. Since Code Red and
Nimda ONLY strike on port 80, it is impossible to move this to another port:
a listener anywhere else would never see the probes.
All relevant variables are listed in the debug window (http://localhost).
Pay attention to it.
I personally run AVirCAP on a machine that runs a web-mail server on another
TCP/IP port. If you're not sure what you're doing, however, I recommend you
use old obsolete computers for this purpose.
In some cases, when using web proxies, it's possible that you are redirected
to the wrong address. In my case I was redirected to the corporate proxy
administration. It's not a bug in AVirCAP; more probably it's the proxy
configuration.
Uninstall:
==========
Use the provided uninstaller in the Programs menu. You can also run
C:\REDHUNT\nsuninst.exe.
Beware: uninstalling really deletes *EVERYTHING* inside the C:\REDHUNT folder.
Please make sure to back up any files you want to keep.
History:
========
Ver 2.0
*RENAMED Code(Red) Hunter is now known as AVir(us)CAP(turer)
*NEW Finds NIMDA types of attacks
*NEW Detailed attack information per host is added. It includes DNS lookup,
attack type and number of attacks issued per host.
*NEW Simplified search routines. New viruses/attack types can be easily added.
*ADD More configurable file upload and mail send options.
*NEW Debug information is displayed in the index.php screen (http://127.0.0.1/index.php).
*FIX A shameless bug which made FTP reports cease working.
*UPGRADE Upgraded Apache to 1.3.20
Ver 1.5
*NEW EMAIL support. You can have the reports mailed to you. (DON'T forget
you need to enable it.)
*NEW CRON support by using WINCRON by graysteel@erols.com
*FIX Shortcuts fixed for Stop CODERED (Andreas Ott)
*FIX No file output when running nosql=true (Andreas Ott)
*FIX De-installation fix for Start CODERED in the Startup folder. (It tried
to launch a deleted program after reboot.) (MT)
*FIX Some small detail errors in this readme that referred to the internal
release.
Ver 1.00
*NEW First initial release
Ver 0.99
*NEW Released as a private beta. Distributed to IT Europe at my job.
*NEW Added FTP output reporting.
TODO:
=====
Anticipated for the future:
* faster search mechanism.
* easy configuration.
* add a few more distributable reports.